lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Wed, 12 Jul 2006 16:22:10 +0100
From: Amelie <amelie@...-noticeably.net>
To: Bugtraq@...urityfocus.com
Subject: Re: # MHG Security Team --- PHPAskIt v2.0.1 Remote File Inc.


Hi there,

I would like to point out that the security vulnerability quoted below 
(and seen here: 
http://archives.neohapsis.com/archives/bugtraq/2006-06/0234.html - 
submitted to bugtraq on June 12, 2006) concerning the CodeGrrl.com 
script, PHPAskIt, is incorrect. I am the author of this script and can 
confidently say that no such hack can take place through the 
convertaa.php and convertwakqa.php files. This has been fully tested by 
myself and others when we became aware of the supposed vulnerability. 
The reason why a file inclusion cannot take place through the query 
string is because $qadir and $dir are defined within the script. Even 
with register_globals on, any instance of these variables declared as 
part of the query string (convertaa.php?qadir=[url to malicious script], 
for example) will be overwritten with the version in the script. The 
files work as such:

convertaa.php:

<?php
$qadir = "/home/user/public_html/somefolder/"; // Ask&Answer 
installation path (WITH trailing slash)

if (file_exists($qadir . "config.php")) { //checking for config.php in 
this folder and including it if it exists
    include($qadir . "config.php");
}
else { //if it doesn't exist
    die("<p><strong>Error:</strong> Ask&amp;Answer's 
<strong><code>config.php</code></strong> could not be found. Please make 
sure this file exists in the directory you have specified and try 
again.</p>");
}


//database conversion happens here

?>

convertwakqa.php:

<?php
$dir = "/home/user/public_html/somefolder/"; //replace with absolute 
path to your Wak's A&A directory (WITH SLASH AT THE END!)

if (file_exists($dir . "functions.php")) { //checking for a 
functions.php file in above directory and including it if it exists
    include($dir . "functions.php");
}
else {
    die("<p><strong>Error:</strong> Wak's Ask&amp;Answer's 
<strong><code>functions.php</code></strong> could not be found. Please 
make sure this file exists in your Wak's Ask&amp;Answer directory.</p>");
}
if (file_exists("../config.php")) { //checking for config.php in parent 
folder and including if exists
    include("../config.php");
}
else {
    die("<p><strong>Error:</strong> Could not find PHPAskIt's 
<strong><code>config.php</code></strong>. Without this file, the script 
cannot operate. Please makes sure it exists.</p>");
}


//database conversion

?>


As you can see, $dir and $qadir are defined and cannot be overwritten by 
additional variables in the GET array, or query string.

Furthermore, PHPAskIt 2.0+ will not run if any of the import files are 
left in place.

Please could you notify readers of any sites that may list this 
vulnerability that it is a hoax. CodeGrrl.com has recently come under 
fire for similar vulnerabilities in older scripts, and, being that 
PHPAskIt was released AFTER those were discovered, it was imperative 
that this sort of thing was avoided. Quite frankly I find it insulting 
that somebody has decided that I would be capable of leaving such a 
large security hole in my script when it was written a good three years 
after most of CodeGrrl.com's previous scripts, which contained a 
multiple file inclusion vulnerability in their password protection file, 
protection.php. I would never have left such an obvious hole in my own 
script.
It is our (CodeGrrl.com's) belief that people are spreading rumours 
about our newer scripts in an effort to further tarnish the site's 
reputation. However, PHPAskIt is NOT VULNERABLE TO REMOTE FILE INCLUSION.

Thank you for clearing this up on your site(s),

Amelie

CodeGrrl.com Staff


------------- Original Message ----------------

#########################################################
# /\/\!|_|_! |-|4|23|<47 #
#########################################################

# Milli-Harekat Advisory ( www.milli-harekat.org )

# PHPAskIt <== v2.0.1 - Remote File Include Vulnerabilities

# Risk : High

# Class: Remote

# Script : PHPAskIt v2.0.1

# Credits : ERNE erne[at]ernealizm[dot]com

# Thanks : 
Dj_ReMix,The_bekir,SpC-x,Eskobar,LiZ0zim,EntRĂ½k4,Korsan.Di_lejyoner and 
All MHG USERS

# Vulnerable :

http://www.site.com/[phpaskit_path]/import/convertaa.php?qadir=[evil_scripts] 


http://www.site.com/[phpaskit_path]/import/convertwakqa.php?dir=[evil_scripts]

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ